Originally posted by starshipeleven
Also, this may come as a shock, but something neither vendor warns you about is that if you open each site in a Private/Incognito window, these "private" windows run in a shared process space, with shared cookies/cache/web workers/localStorage, etc.
For example, open a new Incognito window and open this HTML5 Halma game. Play a few moves, then create another new Incognito window and open the same link in it. See how you are instantly recognised in the supposedly "private" window. And if you think about it for a second, this has to be the case, or popups with shared session state would be impossible, so I'm not complaining, just pointing it out so people are aware.
Again, the per-site process isolation that Chrome offers still runs frames for different sites in the same process space as the site in the location bar. That means that the ad iframes and social media buttons on sites today are all running in the same address space as the site you might think they are isolated from, and many sites share CDN script repos such as cdnjs, googleapis, etc. Any entity which can spoof the SSL certs of those sites can MITM you without your knowledge, pwn your sessions, and hijack one from another, without leveraging any exploits in your browser whatsoever. Who can spoof those certs? The NSA and DOD at the very least; anyone who can get their hands on a root CA cert that's recognised by your browser. Major issuers have had leaks, e.g. DigiNotar, C.O.M.O.D.O, StartCom/WoSign...
Sorry, I'm digressing, but seriously, people fail to recognise what a security nightmare this all is to begin with. There's a little lock on the location bar and it makes people feel all fuzzy and warm, but it only protects you from highly unorganised crime.